Data poisoning and backdoor attacks manipulate training data to induce security breaches in a victim model. These attacks can be provably deflected using differentially private (DP) training methods, although this comes with a sharp decrease in model performance. The InstaHide method has recently been proposed as an alternative to DP training that leverages supposed privacy properties of the mixup augmentation, although without rigorous guarantees. In this work, we show that strong data augmentations, such as mixup and random additive noise, nullify poison attacks while enduring only a small accuracy trade-off. To explain these finding, we propose a training method, DP-InstaHide, which combines the mixup regularizer with additive noise. A rigorous analysis of DP-InstaHide shows that mixup does indeed have privacy advantages, and that training with k-way mixup provably yields at least k times stronger DP guarantees than a naive DP mechanism. Because mixup (as opposed to noise) is beneficial to model performance, DP-InstaHide provides a mechanism for achieving stronger empirical performance against poisoning attacks than other known DP methods.
翻译:数据中毒和后门攻击操纵了培训数据,以诱发受害者模式中的安全漏洞。这些攻击可以使用差别化的私人(DP)培训方法(DP-InstaHide),尽管这伴随着模型性能的急剧下降。最近有人提议将InstaHide方法作为DP培训的替代方法,利用混合式扩增的假定隐私特性,尽管没有严格的保证。在这项工作中,我们表明强大的数据扩增,例如混和随机添加噪音,在仅仅经受小的精确权衡的情况下,消除毒害攻击。为了解释这些发现,我们提议了一种培训方法,DP-InstaHide,将混合式的常规化器与添加性噪音结合起来。对DP-InstaHide的严格分析表明,混合式的混合确实具有隐私优势,而使用kway混合式增扩增的训练至少比一个天真的DP机制产生更强的DP保证。因为混合(与噪音不同)有利于模型性能,DP-InstaHide提供了一种机制,可以使中毒袭击的实证性表现比其他已知的DP方法更强。
相关内容
微信扫码咨询专知VIP会员